CN113542222B - Zero-day multi-step threat identification method based on dual-domain VAE - Google Patents

Info

Publication number: CN113542222B
Authority: CN (China)
Prior art keywords: attack, domain, vae, zero, threat
Legal status: Active
Application number: CN202110666729.2A
Other languages: Chinese (zh)
Other versions: CN113542222A (en)
Inventors: 洪榛, 李涛涛, 周洁茹, 陈志成, 严明松, 倪文可
Current Assignee: Zhejiang University of Technology ZJUT
Original Assignee: Zhejiang University of Technology ZJUT
Application filed by Zhejiang University of Technology ZJUT
Priority to CN202110666729.2A
Publication of CN113542222A
Application granted
Publication of CN113542222B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A zero-day multi-step threat identification method based on a dual-domain VAE (variational autoencoder). The method builds a VAE-based network attack defense model: basic detection of known multi-step threats is realized with supervised learning, and zero-day multi-step threats are then identified using the two domains of the VAE. The main steps are: performing multi-step attack experiments to collect network attack traffic data; performing feature extraction and data preprocessing on the multi-step attack data sets; training on the public multi-step attack data set with the dual-domain loss; and designing a dual-domain defense strategy and building a deep neural network classifier to realize zero-day threat identification and known multi-step threat detection. The method is suited to resource-constrained Internet of Things environments, does not depend on expensive intrusion detection system software, and can effectively discover unknown multi-step attack threats.

Description

Zero-day multi-step threat identification method based on dual-domain VAE
Technical Field
The invention relates to the field of multi-step attack detection for the Internet of Things, and in particular to a zero-day multi-step threat identification method based on a dual-domain variational autoencoder (VAE).
Background
With the development of new technologies such as artificial intelligence, big data and 5G, the information age of the Internet of Things (IoT) has arrived. As an important component of the IoT, smart homes contain a large number of IoT devices; these devices are often deployed at the edge of the IoT and are closely tied to people's daily lives. Once these devices are attacked or hacked, serious privacy and personal safety problems arise. Currently, the major security risks facing IoT devices include the Mirai botnet, Distributed Denial of Service (DDoS), Denial of Service (DoS), interference, fraud, Man-in-the-Middle (MITM) attacks and privacy leaks. Among the main reasons these devices are vulnerable to attack are their limited computing resources and device firmware that goes without updates for long periods.
To protect IoT devices, an Intrusion Detection System (IDS) is often deployed to detect cyber threats. Traditional IDSs mainly rely on technologies such as firewalls and cryptography, but deploying these technologies consumes a large amount of computing resources; they suit traditional networks and pose challenges in resource-constrained IoT environments. In addition, traditional IDSs establish inbound rules for the network from predefined rules and expert experience, which are difficult to apply to the IoT: because the IoT environment is complex and dynamic, its behavior often falls outside those rules and protocols.
In recent years, the rapid development of artificial intelligence technology has provided a good solution: it can effectively identify abnormal events in the IoT and has achieved great success in single-step attack detection. However, real-world cyber attacks are often elaborate multi-step attacks, and these are often unknown, the so-called zero-day multi-step threats. Existing AI-based IoT IDSs train on a large number of known threat samples to build an intelligent IDS capable of recognizing attacks. Such an IDS, however, is limited to identifying known or similar threats and has difficulty judging unknown zero-day multi-step threats, which presents an entirely new challenge. It is therefore of great significance to design an IoT device protection system that can identify known and unknown multi-step threats at the same time.
Disclosure of Invention
To address the problem of zero-day multi-step threat detection, the invention provides a zero-day multi-step threat identification method based on a dual-domain VAE. It builds a VAE-based network attack defense model, realizes basic detection of known multi-step threats using supervised learning, and uses the two domains of the VAE, namely the reconstruction domain and the latent domain, to identify zero-day multi-step threats.
To achieve the above object, the invention provides the following technical solution:
A zero-day multi-step threat identification method based on a dual-domain VAE, the method comprising the following steps:
(1) building a smart home platform and performing multi-step attack experiments to collect network attack traffic data;
(2) performing feature extraction and data preprocessing on the collected experimental data and on publicly available multi-step attack data sets, respectively;
(3) building a VAE-based network model and training on the public multi-step attack data set with the dual-domain loss;
(4) designing a dual-domain defense strategy and using the collected experimental data as zero-day multi-step threats for verification testing, so as to realize zero-day threat identification;
(5) building a deep neural network (DNN) classifier and performing supervised training on known multi-step threats with a multi-class cross-entropy loss, so as to detect known multi-step threats.
In step (1), the multi-step attack experimental data is collected as follows:
step 101, a Raspberry Pi is used as the smart home gateway, a Wi-Fi hotspot is configured and started, and smart devices such as a heaven smart, a smart socket and a smart bulb are connected to the network;
step 102, a laptop running the Kali system is used as the attack device and carries out attacks through multi-step attack scripts, which mainly comprise DoS and MITM multi-step attacks;
step 103, network traffic and logs are recorded at the gateway using the tcpdump tool, and the traffic is saved as PCAP files.
In step (2), feature extraction and preprocessing are performed on the publicly available DARPA-2000 (DDoS) multi-step attack data and on the DoS and MITM multi-step attack data sets collected experimentally in step (1), as follows:
step 201, network protocol header features are extracted using the tshark tool and saved as a csv file;
step 202, the feature data is preprocessed, including filling missing values with 0, character encoding and normalization.
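A sketch of the preprocessing in step 202, added here as an example and not taken from the patent: it fills missing values with 0, encodes string fields as integers and normalizes each column. The column names, the constructed sample rows, the use of label encoding and the choice of min-max scaling are assumptions; the patent's selected features appear only in its FIG. 2.

```python
import csv
import io

# Constructed sample in the shape of a tshark field export
# (-T fields -E header=y -E separator=,). Not real capture data.
SAMPLE_CSV = """frame.len,ip.proto,tcp.srcport,tcp.dstport,tcp.flags,_ws.col.Protocol
74,6,51514,80,0x0002,TCP
60,6,80,51514,0x0012,TCP
42,,,,,ARP
1514,6,51514,80,0x0018,HTTP
90,17,,,,DNS
"""


def to_number(raw, col, encoders):
    """Turn one CSV cell into a float.

    Empty cell -> 0 (missing-value fill), decimal or 0x-prefixed integer ->
    its value, anything else -> a per-column integer code (character encoding).
    Code 0 is never issued, so it stays reserved for "missing".
    """
    raw = (raw or "").strip()
    if raw == "":
        return 0.0
    try:
        return float(int(raw, 0))        # handles "80" and "0x0012"
    except ValueError:
        pass
    try:
        return float(raw)                # handles "0.25"
    except ValueError:
        codes = encoders.setdefault(col, {})
        return float(codes.setdefault(raw, len(codes) + 1))


def preprocess(csv_text):
    """Return (columns, min-max scaled rows, string encoders)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    columns = list(rows[0].keys())
    encoders = {}
    numeric = [[to_number(r[c], c, encoders) for c in columns] for r in rows]

    # Min-max normalisation per column (assumed scheme). A constant column
    # would divide by zero, so it is mapped to 0.0 instead.
    lows = [min(col) for col in zip(*numeric)]
    highs = [max(col) for col in zip(*numeric)]
    scaled = [
        [(v - lo) / (hi - lo) if hi > lo else 0.0
         for v, lo, hi in zip(row, lows, highs)]
        for row in numeric
    ]
    return columns, scaled, encoders


COLUMNS, FEATURES, ENCODERS = preprocess(SAMPLE_CSV)

if __name__ == "__main__":
    print(COLUMNS)
    for row in FEATURES:
        print([round(v, 3) for v in row])
    print(ENCODERS)
```

The encoders and the per-column minimum and maximum have to be fitted on the training set and reused unchanged on new traffic, otherwise the same packet maps to different feature values at detection time.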
In step (3), the multi-step attack data set produced by step (2) is trained using the reconstruction-domain and latent-domain losses of the VAE. The training goal of the VAE is to reconstruct the traffic features from the original traffic features X with small error while keeping the distribution of the latent vector Z close to a Gaussian distribution. The VAE consists of an encoder Q and a decoder P; the encoder encodes the traffic features X into a latent vector Z. For input traffic features $X_i=\{x_1,x_2,\ldots,x_N\}$, the data distribution is p(x).
Further, the VAE training process in step (3) is as follows:
step 301, defining a generative model VAE as:
p(x,z)=p(x|z)p(z),
where z is the latent vector and p(·) is a probability density;
step 302, based on the VAE model definition, the loss function of the VAE is defined as
where $p_{data}$ represents the actual data distribution and θ represents the network parameters;
let q(z|x) denote an auxiliary distribution that approximates the true latent code distribution p(z|x); the variational derivation of the loss function is:
where p(z) is the prior distribution of the latent vector z, KL(·) denotes the KL divergence, q(z|x) can be computed by the encoder Q, and p(x|z) can be computed by the decoder P. From the non-negativity of KL(q(z|x)||p(z|x)), the lower bound loss of log p(x) is obtained as
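For reference, the standard variational derivation that this step describes, written in the page's symbols (an added textbook identity, not a transcription of the patent's own equations):

$$
\begin{aligned}
\log p(x) &= \mathbb{E}_{q(z|x)}\big[\log p(x)\big] = \mathbb{E}_{q(z|x)}\left[\log \frac{p(x|z)\,p(z)}{p(z|x)}\right] \\
&= \mathbb{E}_{q(z|x)}\big[\log p(x|z)\big] - KL\big(q(z|x)\,\|\,p(z)\big) + KL\big(q(z|x)\,\|\,p(z|x)\big) \\
&\ge \mathbb{E}_{q(z|x)}\big[\log p(x|z)\big] - KL\big(q(z|x)\,\|\,p(z)\big).
\end{aligned}
$$

The inequality drops the non-negative term KL(q(z|x)||p(z|x)). The two remaining terms are the ones the encoder Q and decoder P can compute: a reconstruction term and a KL term against the prior p(z).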
In step (4), building on the VAE training in step (3), a dual-domain defense strategy is designed and the experimental data collected in step (1) is used as zero-day multi-step threats for verification testing. The reconstruction-domain loss of an unknown sample is combined with its latent-domain loss to distinguish zero-day multi-step threats effectively, as follows:
step 401, let log p(x|z) be the reconstruction domain and KL(q(z|x)||p(z|x)) be the latent domain;
step 402, because unknown samples have not been trained on, their reconstruction-domain losses do not necessarily converge and their latent-domain features do not necessarily approach the Gaussian distribution; a similarity (sim) method is therefore used to distinguish unknown samples, defined as follows:
where λ denotes the weight, the formula's two probability terms denote the reconstruction-domain anomaly probability and the latent-domain anomaly probability, and $J_1$, $J_2$ denote the corresponding feature dimension and latent code dimension;
step 403, $P_R(x_{new})$ is expressed as:
where one quantity represents the average reconstruction error of the known samples, and another gives the difference between the reconstruction-domain errors of the new sample $x_{new}$ and the known samples;
step 404, the latent-domain anomaly probability is expressed as:
where one quantity represents the difference between the known-sample distribution and the unknown-sample distribution as measured by the KL divergence, and the normal Gaussian distribution of the known samples is calculated from the following formula:
where the remaining symbol represents the output distribution of the encoder Q;
step 405, the average similarity score is calculated and compared with a threshold γ to determine whether the current attack is a zero-day attack;
step 406, if the similarity comparison indicates that the attack is a zero-day anomaly, investigators open an investigation.
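An added example (not the patent's own code or formulas) of the decision flow in steps 401 to 406: per-sample reconstruction-domain and latent-domain errors are turned into anomaly probabilities against the known-sample averages, combined with the weight λ, averaged over a batch and compared with γ. The exponential mapping, the standard-normal prior, the values of λ and γ, and the constructed stand-ins for VAE outputs are all assumptions.

```python
import math
import random

J1, J2 = 8, 3      # feature and latent-code dimensions (constructed sizes)
LAMBDA = 0.5       # weight between the two domains (assumed value)
GAMMA = 0.5        # decision threshold (assumed value)


def recon_error(x, x_hat):
    """Reconstruction-domain error: squared error averaged over the J1 features."""
    return sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x)


def latent_kl(mu, logvar):
    """Latent-domain error: KL(N(mu, diag(exp(logvar))) || N(0, I)) averaged over J2."""
    kl = 0.5 * sum(math.exp(lv) + m * m - 1.0 - lv for m, lv in zip(mu, logvar))
    return kl / len(mu)


def fit_baseline(known):
    """Average both errors over samples of known (trained-on) traffic."""
    n = len(known)
    return {
        "recon": sum(recon_error(s["x"], s["x_hat"]) for s in known) / n,
        "kl": sum(latent_kl(s["mu"], s["logvar"]) for s in known) / n,
    }


def anomaly_prob(value, mean_known):
    """Map the relative excess over the known-sample mean into [0, 1] (assumed form)."""
    excess = max(0.0, value - mean_known) / (mean_known + 1e-12)
    return 1.0 - math.exp(-excess)


def dual_domain_score(sample, baseline, lam=LAMBDA):
    """Weighted combination of the two per-domain anomaly probabilities."""
    p_r = anomaly_prob(recon_error(sample["x"], sample["x_hat"]), baseline["recon"])
    p_l = anomaly_prob(latent_kl(sample["mu"], sample["logvar"]), baseline["kl"])
    return lam * p_r + (1.0 - lam) * p_l


def is_zero_day(batch, baseline, lam=LAMBDA, gamma=GAMMA):
    """Average the score over a batch of flows and compare it with gamma."""
    mean_score = sum(dual_domain_score(s, baseline, lam) for s in batch) / len(batch)
    return mean_score > gamma, mean_score


def make_batch(rng, n, recon_noise, mu_center, logvar_center):
    """Constructed stand-in for what a trained VAE would output per flow:
    features x, reconstruction x_hat, and encoder outputs mu / logvar."""
    batch = []
    for _ in range(n):
        x = [rng.random() for _ in range(J1)]
        batch.append({
            "x": x,
            "x_hat": [v + rng.gauss(0.0, recon_noise) for v in x],
            "mu": [rng.gauss(mu_center, 0.3) for _ in range(J2)],
            "logvar": [rng.gauss(logvar_center, 0.1) for _ in range(J2)],
        })
    return batch


rng = random.Random(7)
KNOWN_TRAIN = make_batch(rng, 200, 0.02, 0.0, 0.0)   # traffic the model was trained on
KNOWN_NEW = make_batch(rng, 50, 0.02, 0.0, 0.0)      # fresh traffic of a known kind
UNSEEN = make_batch(rng, 50, 0.30, 2.0, -2.0)        # poor reconstruction, shifted latents
BASELINE = fit_baseline(KNOWN_TRAIN)

if __name__ == "__main__":
    for name, batch in (("known", KNOWN_NEW), ("unseen", UNSEEN)):
        flagged, score = is_zero_day(batch, BASELINE)
        route = "investigate as zero-day" if flagged else "pass to DNN classifier"
        print(f"{name}: mean score {score:.3f} -> {route}")
```

In a deployment, γ and λ would be tuned on held-out known traffic so that the false-alarm rate on benign and known-attack flows is acceptable before any unseen traffic is scored.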
In step (5), following step (4), if a multi-step attack is identified as a known threat, known-threat detection by the DNN classifier comprises the following process:
step 501, the latent-domain vector Z of the VAE is merged with the original vector X, and the merged vector is input into the DNN classification model;
step 502, optimization uses the multi-class cross-entropy loss, whose principle is as follows:
where $y_i$ represents the true label and $p_i$ represents the predicted class probability;
step 503, the known threat is identified, the specific threat type is inferred, and a system alarm is issued.
The technical concept of the invention is as follows: multi-step attack network traffic data is collected by building a home platform; features are extracted from the collected traffic files and from publicly available multi-step attack data; a VAE-based network attack defense model is built; a dual-domain VAE zero-day multi-step attack detection strategy is designed to realize zero-day threat identification; and finally a DNN classifier is trained with supervised learning to detect known multi-step threats.
The beneficial effects of the invention are mainly as follows: the invention uses the reconstruction domain and the latent domain of the VAE to predict and detect zero-day threats; the method can adapt to resource-constrained Internet of Things environments and does not depend on expensive IDS software; finally, the invention also effectively identifies known multi-step attack threats.
Drawings
FIG. 1 shows the smart home platform that was built;
FIG. 2 shows the selected traffic features;
FIG. 3 is a flow chart of the zero-day multi-step threat identification method based on a dual-domain VAE.
Detailed Description
In order to more clearly describe the technical content of the present invention, a further description is made below in connection with specific examples.
Referring to FIG. 1 to FIG. 3, a zero-day multi-step threat identification method based on a dual-domain VAE is provided. A VAE-based network attack defense model realizes basic detection of known multi-step threats using supervised learning, and the two domains of the VAE, namely the reconstruction domain and the latent domain, are then used to identify zero-day multi-step threats.
A zero-day multi-step threat identification method based on a dual-domain VAE, the method comprising the following steps:
(1) building a smart home platform and performing multi-step attack experiments to collect network attack traffic data;
in step (1), the multi-step attack experimental data is collected as follows:
step 101, a Raspberry Pi is used as the smart home gateway, a Wi-Fi hotspot is configured and started, and smart devices such as a heaven smart, a smart socket and a smart bulb are connected to the network;
step 102, a laptop running the Kali system is used as the attack device and carries out attacks through multi-step attack scripts, which mainly comprise DoS and MITM multi-step attacks;
step 103, network traffic and logs are recorded at the gateway using the tcpdump tool, and the traffic is saved as PCAP files;
(2) performing feature extraction and data preprocessing on the collected experimental data and on publicly available multi-step attack data sets, respectively;
in step (2), feature extraction and preprocessing are performed on the publicly available DARPA-2000 (DDoS) multi-step attack data and on the DoS and MITM multi-step attack data sets collected experimentally in step (1), as follows:
step 201, network protocol header features are extracted using the tshark tool and saved as a csv file;
step 202, the feature data is preprocessed, including filling missing values with 0, character encoding and normalization.
In step (3), the multi-step attack data set produced by step (2) is trained using the reconstruction-domain and latent-domain losses of the VAE. The training of the VAE aims to reduce the error when reconstructing the traffic features from the original traffic features X while keeping the distribution of the latent vector Z close to a Gaussian distribution. The VAE consists of an encoder Q and a decoder P; the encoder can encode the traffic features X into a latent vector Z. For input traffic features $X_i=\{x_1,x_2,\ldots,x_N\}$, the data distribution is p(x).
(3) building a VAE-based network model and training on the public multi-step attack data set with the dual-domain loss;
the VAE training process in step (3) is as follows:
step 301, defining a generative model VAE as:
p(x,z)=p(x|z)p(z),
where z is the latent vector and p(·) is a probability density;
step 302, based on the VAE model definition, the loss function of the VAE is defined as
where $p_{data}$ represents the actual data distribution and θ represents the network parameters;
let q(z|x) denote an auxiliary distribution that approximates the true latent code distribution p(z|x); the variational derivation of the loss function is:
where p(z) is the prior distribution of the latent vector z, KL(·) denotes the KL divergence, q(z|x) can be computed by the encoder Q, and p(x|z) can be computed by the decoder P. Because KL(q(z|x)||p(z|x)) is non-negative, the lower bound loss of log p(x) is
(4) designing a dual-domain defense strategy and using the collected experimental data as zero-day multi-step threats for verification testing, so as to realize zero-day threat identification;
in step (4), building on the VAE training in step (3), a dual-domain defense strategy is designed and the experimental data collected in step (1) is used as zero-day multi-step threats for verification testing. The reconstruction-domain loss of an unknown sample is combined with its latent-domain loss to distinguish zero-day multi-step threats effectively, as follows:
step 401, let log p(x|z) be the reconstruction domain and KL(q(z|x)||p(z|x)) be the latent domain;
step 402, because unknown samples have not been trained on, their reconstruction-domain losses do not necessarily converge and their latent-domain features do not necessarily approach the Gaussian distribution; a similarity (sim) method is therefore used to distinguish unknown samples, defined as follows:
where λ denotes the weight, the formula's two probability terms denote the reconstruction-domain anomaly probability and the latent-domain anomaly probability, and $J_1$, $J_2$ denote the corresponding feature dimension and latent code dimension;
step 403, $P_R(x_{new})$ is expressed as:
where one quantity represents the average reconstruction error of the known samples, and another gives the difference between the reconstruction-domain errors of the new sample $x_{new}$ and the known samples;
step 404, the latent-domain anomaly probability is expressed as:
where one quantity represents the difference between the known-sample distribution and the unknown-sample distribution as measured by the KL divergence, and the normal Gaussian distribution of the known samples is calculated from the following formula:
where the remaining symbol represents the output distribution of the encoder Q;
step 405, the average similarity score is calculated and compared with a threshold γ, from which it can be judged whether the current attack is a zero-day attack;
step 406, if the similarity comparison indicates that the attack is a zero-day anomaly, investigators open an investigation.
(5) building a deep neural network (DNN) classifier and performing supervised training on known multi-step threats with a multi-class cross-entropy loss, so as to detect known multi-step threats.
In step (5), following step (4), if a multi-step attack is identified as a known threat, known-threat detection by the DNN classifier comprises the following process:
step 501, the latent-domain vector Z of the VAE is merged with the original vector X, and the merged vector is input into the DNN classification model;
step 502, optimization uses the multi-class cross-entropy loss, whose principle is as follows:
where $y_i$ represents the true label and $p_i$ represents the predicted class probability;
step 503, the known threat is identified, the specific threat type is inferred, and a system alarm is issued.

Claims (3)

1. A zero-day multi-step threat identification method based on a dual-domain VAE, the method comprising the following steps:
(1) building a smart home platform and performing multi-step attack experiments to collect network attack traffic data;
(2) performing feature extraction and data preprocessing on the collected experimental data and on publicly available multi-step attack data sets, respectively;
(3) building a VAE-based network model and training on the public multi-step attack data set with the dual-domain loss;
(4) designing a dual-domain defense strategy and using the collected experimental data as zero-day multi-step threats for verification testing, so as to realize zero-day threat identification; let log p(x|z) be the reconstruction domain and KL(q(z|x)||p(z|x)) be the latent domain; unknown samples are distinguished using a similarity (sim) method defined as follows:
where λ denotes the weight, the formula's two probability terms denote the reconstruction-domain anomaly probability and the latent-domain anomaly probability, and $J_1$, $J_2$ denote the corresponding feature dimension and latent code dimension;
the average similarity score is calculated and compared with a threshold γ, from which it can be judged whether the current attack is a zero-day attack; when the similarity comparison indicates that the attack is a zero-day anomaly, investigators open an investigation;
(5) building a deep neural network (DNN) classifier and performing supervised training on known multi-step threats with a multi-class cross-entropy loss, so as to detect known multi-step threats;
in step (3), the multi-step attack data set produced by step (2) is trained using the reconstruction-domain and latent-domain losses of the VAE, and the VAE training process is as follows:
step 301, defining a generative model VAE as:
p(x,z)=p(x|z)p(z),
where z is the latent vector and p(·) is a probability density;
step 302, based on the VAE model definition, the loss function of the VAE is defined as
where $p_{data}$ represents the actual data distribution and θ represents the network parameters;
let q(z|x) denote an auxiliary distribution that approximates the true latent code distribution p(z|x); the variational derivation of the loss function is:
where p(z) is the prior distribution of the latent vector z, KL(·) denotes the KL divergence, q(z|x) is computed by the encoder Q, and p(x|z) is computed by the decoder P; from the non-negativity of KL(q(z|x)||p(z|x)), the lower bound loss of log p(x) is obtained as
in step (5), following step (4), if a multi-step attack is identified as a known threat, known-threat detection by the DNN classifier comprises the following process:
step 501, the latent-domain vector Z of the VAE is merged with the original vector X, and the merged vector is input into the DNN classification model;
step 502, optimization uses the multi-class cross-entropy loss, whose principle is as follows:
where $y_i$ represents the true label and $p_i$ represents the predicted class probability;
step 503, the known threat is identified, the specific threat type is inferred, and a system alarm is issued.
2. The zero-day multi-step threat identification method based on a dual-domain VAE according to claim 1, wherein in step (1) the multi-step attack experimental data is collected as follows:
step 101, a Raspberry Pi is used as the smart home gateway, a Wi-Fi hotspot is configured and started, and smart devices such as a heaven smart, a smart socket and a smart bulb are connected to the network;
step 102, a laptop running the Kali system is used as the attack device and carries out attacks through multi-step attack scripts, which mainly comprise DoS and MITM multi-step attacks;
step 103, network traffic and logs are recorded at the gateway using the tcpdump tool, and the traffic is saved as PCAP files.
3. The zero-day multi-step threat identification method based on a dual-domain VAE according to claim 1 or 2, wherein in step (2) feature extraction and preprocessing are performed on the publicly available DARPA-2000 (DDoS) multi-step attack data and on the DoS and MITM multi-step attack data sets collected experimentally in step (1), as follows:
step 201, network protocol header features are extracted using the tshark tool and saved as a csv file;
step 202, the feature data is preprocessed, including filling missing values with 0, character encoding and normalization.

Priority Applications (1)

Application Number: CN202110666729.2A (CN113542222B)
Priority Date: 2021-06-16
Filing Date: 2021-06-16
Title: Zero-day multi-step threat identification method based on dual-domain VAE

Publications (2)

CN113542222A, published 2021-10-22
CN113542222B, published 2023-07-25

Family ID: 78096106
Country: CN

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant